<xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
xmlns:notes="http://benchmarks.cisecurity.org/notes"
xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
xmlns:cc8="http://cisecurity.org/20-cc/v8.0"
xmlns="http://checklists.nist.gov/xccdf/1.2"
xmlns:xhtml="http://www.w3.org/1999/xhtml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
idref="xccdf_org.cisecurity.benchmarks_rule_5.2.3.7_Ensure_unsuccessful_file_access_attempts_are_collected"
role="full"
severity="unknown"
time="2023-12-18T13:26:23.957Z"
version="1"
weight="1.0">
<!-- Overall outcome for the rule named in idref (5.2.3.7, unsuccessful file access attempts are collected). -->
<!-- The complex-check elements that follow all use operator="AND" with negate="false", so every nested check has to pass for the rule to pass. -->
<!-- NOTE(review): the checks visible in this result each record "auditctl: command not found" on stderr. The fail verdict may therefore partly reflect missing audit tooling on the target rather than only missing rules; confirm before planning remediation. -->
<xccdf:result>fail</xccdf:result>
<!-- Cross-references carried by this rule: CIS Controls v7 control 14 subcontrol 9, CIS Controls v8 control 8 subcontrol 5, and NIST SP 800-53 Rev. 5 AU-3. -->
<xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/9"
system="http://cisecurity.org/20-cc/v7.0"/>
<xccdf:ident cc8:controlURI="http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/5"
system="http://cisecurity.org/20-cc/v8.0"/>
<xccdf:ident system="URL">NIST SP 800-53 Rev. 5: AU-3</xccdf:ident>
<xccdf:complex-check operator="AND" negate="false">
<xccdf:complex-check operator="AND" negate="false">
<xccdf:complex-check operator="AND" negate="false">
<xccdf:complex-check operator="AND" negate="false">
<xccdf:complex-check operator="AND" negate="false">
<xccdf:complex-check operator="AND" negate="false">
<xccdf:complex-check operator="AND" negate="false">
<xccdf:complex-check operator="AND" negate="false">
<xccdf:complex-check operator="AND" negate="false">
<xccdf:complex-check operator="AND" negate="false">
<xccdf:complex-check operator="AND" negate="false">
<xccdf:complex-check operator="AND" negate="false">
<xccdf:complex-check operator="AND" negate="false">
<xccdf:complex-check operator="AND" negate="false">
<xccdf:complex-check operator="AND" negate="false">
<xccdf:complex-check operator="AND" negate="false">
<xccdf:complex-check operator="AND" negate="false">
<xccdf:complex-check operator="AND" negate="false">
<xccdf:complex-check operator="AND" negate="false">
<xccdf:check system="http://open-scap.org/page/SCE"
negate="false"
multi-check="false">
<xccdf:check-export export-name="XCCDF_VALUE_REGEX"
value-id="xccdf_org.cisecurity.benchmarks_value_3995071_var"/>
<xccdf:check-content-ref href="sce/nix_auditd_rule_chk.sh"/>
<xccdf:check-content>
<!-- Captured run of sce/nix_auditd_rule_chk.sh: exit-value 102 is recorded together with xccdf="fail". -->
<!-- Rule looked for (from the regex below): -a always,exit, -F arch=b32, -S list containing open, -F exit=-EACCES, -F auid>=1000, an unset-auid exclusion, and a key (-k or -F key=). -->
<!-- The script reports two lookups: files under /etc/audit/rules.d/ and the running config. The regex is printed across several l elements, apparently because the bracket expression after [^# contains line-break characters. -->
<!-- NOTE(review): err shows "auditctl: command not found" at script line 27, so the running-config message was presumably produced without reading the loaded rule set. Confirm auditctl is installed and on the assessor's PATH and re-run before relying on that half of the finding. -->
<command_result href="sce/nix_auditd_rule_chk.sh"
xccdf="fail"
script="/root/cis/Assessor/sce/nix_auditd_rule_chk.sh"
exit-value="102">
<out>
<l>FAILED</l>
<l>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</l>
<l/>
<l>]+,)?open((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
<l>No auditd rules were found in the running config matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</l>
<l/>
<l>]+,)?open((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
</out>
<err>
<l>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</l>
</err>
<env/>
</command_result>
</xccdf:check-content>
<evidence xmlns="http://cisecurity.org/evidence">
<div class="sce">
<table class="evidence-sep" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Script:</td>
<td>sce/nix_auditd_rule_chk.sh</td>
</tr>
<tr>
<td class="bold">Result:</td>
<td class="fail">Fail</td>
</tr>
<tr>
<td class="bold">Exit Value:</td>
<td>102</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Output:</td>
<td>
<ul class="unstyled">
<li>FAILED</li>
<li>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</li>
<li/>
<li>]+,)?open((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
<li>No auditd rules were found in the running config matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</li>
<li/>
<li>]+,)?open((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
</ul>
</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Errors:</td>
<td>
<ul>
<li>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</evidence>
</xccdf:check>
<xccdf:check system="http://open-scap.org/page/SCE"
negate="false"
multi-check="false">
<xccdf:check-export export-name="XCCDF_VALUE_REGEX"
value-id="xccdf_org.cisecurity.benchmarks_value_3995074_var"/>
<xccdf:check-content-ref href="sce/nix_auditd_rule_chk.sh"/>
<xccdf:check-content>
<!-- Captured run of sce/nix_auditd_rule_chk.sh: exit-value 102 is recorded together with xccdf="fail". -->
<!-- Rule looked for (from the regex below): -a always,exit, -F arch=b32, -S list containing truncate, -F exit=-EACCES, -F auid>=1000, an unset-auid exclusion, and a key (-k or -F key=). -->
<!-- The script reports two lookups: files under /etc/audit/rules.d/ and the running config. The regex is printed across several l elements, apparently because the bracket expression after [^# contains line-break characters. -->
<!-- NOTE(review): err shows "auditctl: command not found" at script line 27, so the running-config message was presumably produced without reading the loaded rule set. Confirm auditctl is installed and on the assessor's PATH and re-run before relying on that half of the finding. -->
<command_result href="sce/nix_auditd_rule_chk.sh"
xccdf="fail"
script="/root/cis/Assessor/sce/nix_auditd_rule_chk.sh"
exit-value="102">
<out>
<l>FAILED</l>
<l>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</l>
<l/>
<l>]+,)?truncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
<l>No auditd rules were found in the running config matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</l>
<l/>
<l>]+,)?truncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
</out>
<err>
<l>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</l>
</err>
<env/>
</command_result>
</xccdf:check-content>
<evidence xmlns="http://cisecurity.org/evidence">
<div class="sce">
<table class="evidence-sep" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Script:</td>
<td>sce/nix_auditd_rule_chk.sh</td>
</tr>
<tr>
<td class="bold">Result:</td>
<td class="fail">Fail</td>
</tr>
<tr>
<td class="bold">Exit Value:</td>
<td>102</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Output:</td>
<td>
<ul class="unstyled">
<li>FAILED</li>
<li>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</li>
<li/>
<li>]+,)?truncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
<li>No auditd rules were found in the running config matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</li>
<li/>
<li>]+,)?truncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
</ul>
</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Errors:</td>
<td>
<ul>
<li>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</evidence>
</xccdf:check>
</xccdf:complex-check>
<xccdf:check system="http://open-scap.org/page/SCE"
negate="false"
multi-check="false">
<xccdf:check-export export-name="XCCDF_VALUE_REGEX"
value-id="xccdf_org.cisecurity.benchmarks_value_3995077_var"/>
<xccdf:check-content-ref href="sce/nix_auditd_rule_chk.sh"/>
<xccdf:check-content>
<!-- Captured run of sce/nix_auditd_rule_chk.sh: exit-value 102 is recorded together with xccdf="fail". -->
<!-- Rule looked for (from the regex below): -a always,exit, -F arch=b32, -S list containing ftruncate, -F exit=-EACCES, -F auid>=1000, an unset-auid exclusion, and a key (-k or -F key=). -->
<!-- The script reports two lookups: files under /etc/audit/rules.d/ and the running config. The regex is printed across several l elements, apparently because the bracket expression after [^# contains line-break characters. -->
<!-- NOTE(review): err shows "auditctl: command not found" at script line 27, so the running-config message was presumably produced without reading the loaded rule set. Confirm auditctl is installed and on the assessor's PATH and re-run before relying on that half of the finding. -->
<command_result href="sce/nix_auditd_rule_chk.sh"
xccdf="fail"
script="/root/cis/Assessor/sce/nix_auditd_rule_chk.sh"
exit-value="102">
<out>
<l>FAILED</l>
<l>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</l>
<l/>
<l>]+,)?ftruncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
<l>No auditd rules were found in the running config matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</l>
<l/>
<l>]+,)?ftruncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
</out>
<err>
<l>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</l>
</err>
<env/>
</command_result>
</xccdf:check-content>
<evidence xmlns="http://cisecurity.org/evidence">
<div class="sce">
<table class="evidence-sep" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Script:</td>
<td>sce/nix_auditd_rule_chk.sh</td>
</tr>
<tr>
<td class="bold">Result:</td>
<td class="fail">Fail</td>
</tr>
<tr>
<td class="bold">Exit Value:</td>
<td>102</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Output:</td>
<td>
<ul class="unstyled">
<li>FAILED</li>
<li>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</li>
<li/>
<li>]+,)?ftruncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
<li>No auditd rules were found in the running config matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</li>
<li/>
<li>]+,)?ftruncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
</ul>
</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Errors:</td>
<td>
<ul>
<li>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</evidence>
</xccdf:check>
</xccdf:complex-check>
<xccdf:check system="http://open-scap.org/page/SCE"
negate="false"
multi-check="false">
<xccdf:check-export export-name="XCCDF_VALUE_REGEX"
value-id="xccdf_org.cisecurity.benchmarks_value_3995079_var"/>
<xccdf:check-content-ref href="sce/nix_auditd_rule_chk.sh"/>
<xccdf:check-content>
<!-- Captured run of sce/nix_auditd_rule_chk.sh: exit-value 102 is recorded together with xccdf="fail". -->
<!-- Rule looked for (from the regex below): -a always,exit, -F arch=b32, -S list containing creat, -F exit=-EACCES, -F auid>=1000, an unset-auid exclusion, and a key (-k or -F key=). -->
<!-- The script reports two lookups: files under /etc/audit/rules.d/ and the running config. The regex is printed across several l elements, apparently because the bracket expression after [^# contains line-break characters. -->
<!-- NOTE(review): err shows "auditctl: command not found" at script line 27, so the running-config message was presumably produced without reading the loaded rule set. Confirm auditctl is installed and on the assessor's PATH and re-run before relying on that half of the finding. -->
<command_result href="sce/nix_auditd_rule_chk.sh"
xccdf="fail"
script="/root/cis/Assessor/sce/nix_auditd_rule_chk.sh"
exit-value="102">
<out>
<l>FAILED</l>
<l>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</l>
<l/>
<l>]+,)?creat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
<l>No auditd rules were found in the running config matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</l>
<l/>
<l>]+,)?creat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
</out>
<err>
<l>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</l>
</err>
<env/>
</command_result>
</xccdf:check-content>
<evidence xmlns="http://cisecurity.org/evidence">
<div class="sce">
<table class="evidence-sep" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Script:</td>
<td>sce/nix_auditd_rule_chk.sh</td>
</tr>
<tr>
<td class="bold">Result:</td>
<td class="fail">Fail</td>
</tr>
<tr>
<td class="bold">Exit Value:</td>
<td>102</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Output:</td>
<td>
<ul class="unstyled">
<li>FAILED</li>
<li>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</li>
<li/>
<li>]+,)?creat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
<li>No auditd rules were found in the running config matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</li>
<li/>
<li>]+,)?creat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
</ul>
</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Errors:</td>
<td>
<ul>
<li>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</evidence>
</xccdf:check>
</xccdf:complex-check>
<xccdf:check system="http://open-scap.org/page/SCE"
negate="false"
multi-check="false">
<xccdf:check-export export-name="XCCDF_VALUE_REGEX"
value-id="xccdf_org.cisecurity.benchmarks_value_3995083_var"/>
<xccdf:check-content-ref href="sce/nix_auditd_rule_chk.sh"/>
<xccdf:check-content>
<!-- Captured run of sce/nix_auditd_rule_chk.sh: exit-value 102 is recorded together with xccdf="fail". -->
<!-- Rule looked for (from the regex below): -a always,exit, -F arch=b32, -S list containing openat, -F exit=-EACCES, -F auid>=1000, an unset-auid exclusion, and a key (-k or -F key=). -->
<!-- The script reports two lookups: files under /etc/audit/rules.d/ and the running config. The regex is printed across several l elements, apparently because the bracket expression after [^# contains line-break characters. -->
<!-- NOTE(review): err shows "auditctl: command not found" at script line 27, so the running-config message was presumably produced without reading the loaded rule set. Confirm auditctl is installed and on the assessor's PATH and re-run before relying on that half of the finding. -->
<command_result href="sce/nix_auditd_rule_chk.sh"
xccdf="fail"
script="/root/cis/Assessor/sce/nix_auditd_rule_chk.sh"
exit-value="102">
<out>
<l>FAILED</l>
<l>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</l>
<l/>
<l>]+,)?openat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
<l>No auditd rules were found in the running config matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</l>
<l/>
<l>]+,)?openat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
</out>
<err>
<l>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</l>
</err>
<env/>
</command_result>
</xccdf:check-content>
<evidence xmlns="http://cisecurity.org/evidence">
<div class="sce">
<table class="evidence-sep" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Script:</td>
<td>sce/nix_auditd_rule_chk.sh</td>
</tr>
<tr>
<td class="bold">Result:</td>
<td class="fail">Fail</td>
</tr>
<tr>
<td class="bold">Exit Value:</td>
<td>102</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Output:</td>
<td>
<ul class="unstyled">
<li>FAILED</li>
<li>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</li>
<li/>
<li>]+,)?openat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
<li>No auditd rules were found in the running config matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</li>
<li/>
<li>]+,)?openat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
</ul>
</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Errors:</td>
<td>
<ul>
<li>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</evidence>
</xccdf:check>
</xccdf:complex-check>
<xccdf:check system="http://open-scap.org/page/SCE"
negate="false"
multi-check="false">
<xccdf:check-export export-name="XCCDF_VALUE_REGEX"
value-id="xccdf_org.cisecurity.benchmarks_value_3995088_var"/>
<xccdf:check-content-ref href="sce/nix_auditd_rule_chk.sh"/>
<xccdf:check-content>
<!-- Captured run of sce/nix_auditd_rule_chk.sh: exit-value 102 is recorded together with xccdf="fail". -->
<!-- Rule looked for (from the regex below): -a always,exit, -F arch=b32, -S list containing open, -F exit=-EPERM, -F auid>=1000, an unset-auid exclusion, and a key (-k or -F key=). -->
<!-- The script reports two lookups: files under /etc/audit/rules.d/ and the running config. The regex is printed across several l elements, apparently because the bracket expression after [^# contains line-break characters. -->
<!-- NOTE(review): err shows "auditctl: command not found" at script line 27, so the running-config message was presumably produced without reading the loaded rule set. Confirm auditctl is installed and on the assessor's PATH and re-run before relying on that half of the finding. -->
<command_result href="sce/nix_auditd_rule_chk.sh"
xccdf="fail"
script="/root/cis/Assessor/sce/nix_auditd_rule_chk.sh"
exit-value="102">
<out>
<l>FAILED</l>
<l>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</l>
<l/>
<l>]+,)?open((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
<l>No auditd rules were found in the running config matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</l>
<l/>
<l>]+,)?open((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
</out>
<err>
<l>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</l>
</err>
<env/>
</command_result>
</xccdf:check-content>
<evidence xmlns="http://cisecurity.org/evidence">
<div class="sce">
<table class="evidence-sep" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Script:</td>
<td>sce/nix_auditd_rule_chk.sh</td>
</tr>
<tr>
<td class="bold">Result:</td>
<td class="fail">Fail</td>
</tr>
<tr>
<td class="bold">Exit Value:</td>
<td>102</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Output:</td>
<td>
<ul class="unstyled">
<li>FAILED</li>
<li>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</li>
<li/>
<li>]+,)?open((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
<li>No auditd rules were found in the running config matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</li>
<li/>
<li>]+,)?open((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
</ul>
</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Errors:</td>
<td>
<ul>
<li>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</evidence>
</xccdf:check>
</xccdf:complex-check>
<xccdf:check system="http://open-scap.org/page/SCE"
negate="false"
multi-check="false">
<xccdf:check-export export-name="XCCDF_VALUE_REGEX"
value-id="xccdf_org.cisecurity.benchmarks_value_3995091_var"/>
<xccdf:check-content-ref href="sce/nix_auditd_rule_chk.sh"/>
<xccdf:check-content>
<!-- Captured run of sce/nix_auditd_rule_chk.sh: exit-value 102 is recorded together with xccdf="fail". -->
<!-- Rule looked for (from the regex below): -a always,exit, -F arch=b32, -S list containing truncate, -F exit=-EPERM, -F auid>=1000, an unset-auid exclusion, and a key (-k or -F key=). -->
<!-- The script reports two lookups: files under /etc/audit/rules.d/ and the running config. The regex is printed across several l elements, apparently because the bracket expression after [^# contains line-break characters. -->
<!-- NOTE(review): err shows "auditctl: command not found" at script line 27, so the running-config message was presumably produced without reading the loaded rule set. Confirm auditctl is installed and on the assessor's PATH and re-run before relying on that half of the finding. -->
<command_result href="sce/nix_auditd_rule_chk.sh"
xccdf="fail"
script="/root/cis/Assessor/sce/nix_auditd_rule_chk.sh"
exit-value="102">
<out>
<l>FAILED</l>
<l>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</l>
<l/>
<l>]+,)?truncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
<l>No auditd rules were found in the running config matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</l>
<l/>
<l>]+,)?truncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
</out>
<err>
<l>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</l>
</err>
<env/>
</command_result>
</xccdf:check-content>
<evidence xmlns="http://cisecurity.org/evidence">
<div class="sce">
<table class="evidence-sep" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Script:</td>
<td>sce/nix_auditd_rule_chk.sh</td>
</tr>
<tr>
<td class="bold">Result:</td>
<td class="fail">Fail</td>
</tr>
<tr>
<td class="bold">Exit Value:</td>
<td>102</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Output:</td>
<td>
<ul class="unstyled">
<li>FAILED</li>
<li>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</li>
<li/>
<li>]+,)?truncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
<li>No auditd rules were found in the running config matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</li>
<li/>
<li>]+,)?truncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
</ul>
</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Errors:</td>
<td>
<ul>
<li>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</evidence>
</xccdf:check>
</xccdf:complex-check>
<xccdf:check system="http://open-scap.org/page/SCE"
negate="false"
multi-check="false">
<xccdf:check-export export-name="XCCDF_VALUE_REGEX"
value-id="xccdf_org.cisecurity.benchmarks_value_3995093_var"/>
<xccdf:check-content-ref href="sce/nix_auditd_rule_chk.sh"/>
<xccdf:check-content>
<!-- Captured run of sce/nix_auditd_rule_chk.sh: exit-value 102 is recorded together with xccdf="fail". -->
<!-- Rule looked for (from the regex below): -a always,exit, -F arch=b32, -S list containing ftruncate, -F exit=-EPERM, -F auid>=1000, an unset-auid exclusion, and a key (-k or -F key=). -->
<!-- The script reports two lookups: files under /etc/audit/rules.d/ and the running config. The regex is printed across several l elements, apparently because the bracket expression after [^# contains line-break characters. -->
<!-- NOTE(review): err shows "auditctl: command not found" at script line 27, so the running-config message was presumably produced without reading the loaded rule set. Confirm auditctl is installed and on the assessor's PATH and re-run before relying on that half of the finding. -->
<command_result href="sce/nix_auditd_rule_chk.sh"
xccdf="fail"
script="/root/cis/Assessor/sce/nix_auditd_rule_chk.sh"
exit-value="102">
<out>
<l>FAILED</l>
<l>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</l>
<l/>
<l>]+,)?ftruncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
<l>No auditd rules were found in the running config matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</l>
<l/>
<l>]+,)?ftruncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
</out>
<err>
<l>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</l>
</err>
<env/>
</command_result>
</xccdf:check-content>
<evidence xmlns="http://cisecurity.org/evidence">
<div class="sce">
<table class="evidence-sep" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Script:</td>
<td>sce/nix_auditd_rule_chk.sh</td>
</tr>
<tr>
<td class="bold">Result:</td>
<td class="fail">Fail</td>
</tr>
<tr>
<td class="bold">Exit Value:</td>
<td>102</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Output:</td>
<td>
<ul class="unstyled">
<li>FAILED</li>
<li>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</li>
<li/>
<li>]+,)?ftruncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
<li>No auditd rules were found in the running config matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</li>
<li/>
<li>]+,)?ftruncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
</ul>
</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Errors:</td>
<td>
<ul>
<li>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</evidence>
</xccdf:check>
</xccdf:complex-check>
<xccdf:check system="http://open-scap.org/page/SCE"
negate="false"
multi-check="false">
<xccdf:check-export export-name="XCCDF_VALUE_REGEX"
value-id="xccdf_org.cisecurity.benchmarks_value_3995097_var"/>
<xccdf:check-content-ref href="sce/nix_auditd_rule_chk.sh"/>
<xccdf:check-content>
<!-- Captured run of sce/nix_auditd_rule_chk.sh: exit-value 102 is recorded together with xccdf="fail". -->
<!-- Rule looked for (from the regex below): -a always,exit, -F arch=b32, -S list containing creat, -F exit=-EPERM, -F auid>=1000, an unset-auid exclusion, and a key (-k or -F key=). -->
<!-- The script reports two lookups: files under /etc/audit/rules.d/ and the running config. The regex is printed across several l elements, apparently because the bracket expression after [^# contains line-break characters. -->
<!-- NOTE(review): err shows "auditctl: command not found" at script line 27, so the running-config message was presumably produced without reading the loaded rule set. Confirm auditctl is installed and on the assessor's PATH and re-run before relying on that half of the finding. -->
<command_result href="sce/nix_auditd_rule_chk.sh"
xccdf="fail"
script="/root/cis/Assessor/sce/nix_auditd_rule_chk.sh"
exit-value="102">
<out>
<l>FAILED</l>
<l>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</l>
<l/>
<l>]+,)?creat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
<l>No auditd rules were found in the running config matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</l>
<l/>
<l>]+,)?creat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
</out>
<err>
<l>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</l>
</err>
<env/>
</command_result>
</xccdf:check-content>
<evidence xmlns="http://cisecurity.org/evidence">
<div class="sce">
<table class="evidence-sep" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Script:</td>
<td>sce/nix_auditd_rule_chk.sh</td>
</tr>
<tr>
<td class="bold">Result:</td>
<td class="fail">Fail</td>
</tr>
<tr>
<td class="bold">Exit Value:</td>
<td>102</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Output:</td>
<td>
<ul class="unstyled">
<li>FAILED</li>
<li>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</li>
<li/>
<li>]+,)?creat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
<li>No auditd rules were found in the running config matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</li>
<li/>
<li>]+,)?creat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
</ul>
</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Errors:</td>
<td>
<ul>
<li>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</evidence>
</xccdf:check>
</xccdf:complex-check>
<xccdf:check system="http://open-scap.org/page/SCE"
negate="false"
multi-check="false">
<xccdf:check-export export-name="XCCDF_VALUE_REGEX"
value-id="xccdf_org.cisecurity.benchmarks_value_3995100_var"/>
<xccdf:check-content-ref href="sce/nix_auditd_rule_chk.sh"/>
<xccdf:check-content>
<!-- Captured run of sce/nix_auditd_rule_chk.sh: exit-value 102 is recorded together with xccdf="fail". -->
<!-- Rule looked for (from the regex below): -a always,exit, -F arch=b32, -S list containing openat, -F exit=-EPERM, -F auid>=1000, an unset-auid exclusion, and a key (-k or -F key=). -->
<!-- The script reports two lookups: files under /etc/audit/rules.d/ and the running config. The regex is printed across several l elements, apparently because the bracket expression after [^# contains line-break characters. -->
<!-- NOTE(review): err shows "auditctl: command not found" at script line 27, so the running-config message was presumably produced without reading the loaded rule set. Confirm auditctl is installed and on the assessor's PATH and re-run before relying on that half of the finding. -->
<command_result href="sce/nix_auditd_rule_chk.sh"
xccdf="fail"
script="/root/cis/Assessor/sce/nix_auditd_rule_chk.sh"
exit-value="102">
<out>
<l>FAILED</l>
<l>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</l>
<l/>
<l>]+,)?openat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
<l>No auditd rules were found in the running config matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</l>
<l/>
<l>]+,)?openat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
</out>
<err>
<l>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</l>
</err>
<env/>
</command_result>
</xccdf:check-content>
<evidence xmlns="http://cisecurity.org/evidence">
<div class="sce">
<table class="evidence-sep" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Script:</td>
<td>sce/nix_auditd_rule_chk.sh</td>
</tr>
<tr>
<td class="bold">Result:</td>
<td class="fail">Fail</td>
</tr>
<tr>
<td class="bold">Exit Value:</td>
<td>102</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Output:</td>
<td>
<ul class="unstyled">
<li>FAILED</li>
<li>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</li>
<li/>
<li>]+,)?openat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
<li>No auditd rules were found in the running config matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b32\h+-S\h+([^#</li>
<li/>
<li>]+,)?openat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
</ul>
</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Errors:</td>
<td>
<ul>
<li>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</evidence>
</xccdf:check>
</xccdf:complex-check>
<xccdf:check system="http://open-scap.org/page/SCE"
negate="false"
multi-check="false">
<xccdf:check-export export-name="XCCDF_VALUE_REGEX"
value-id="xccdf_org.cisecurity.benchmarks_value_3995105_var"/>
<xccdf:check-content-ref href="sce/nix_auditd_rule_chk.sh"/>
<xccdf:check-content>
<!-- Captured run of sce/nix_auditd_rule_chk.sh: exit-value 102 is recorded together with xccdf="fail". -->
<!-- Rule looked for (from the regex below): -a always,exit, -F arch=b64, -S list containing open, -F exit=-EACCES, -F auid>=1000, an unset-auid exclusion, and a key (-k or -F key=). -->
<!-- The script reports two lookups: files under /etc/audit/rules.d/ and the running config. The regex is printed across several l elements, apparently because the bracket expression after [^# contains line-break characters. -->
<!-- NOTE(review): err shows "auditctl: command not found" at script line 27, so the running-config message was presumably produced without reading the loaded rule set. Confirm auditctl is installed and on the assessor's PATH and re-run before relying on that half of the finding. -->
<command_result href="sce/nix_auditd_rule_chk.sh"
xccdf="fail"
script="/root/cis/Assessor/sce/nix_auditd_rule_chk.sh"
exit-value="102">
<out>
<l>FAILED</l>
<l>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</l>
<l/>
<l>]+,)?open((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
<l>No auditd rules were found in the running config matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</l>
<l/>
<l>]+,)?open((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
</out>
<err>
<l>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</l>
</err>
<env/>
</command_result>
</xccdf:check-content>
<evidence xmlns="http://cisecurity.org/evidence">
<div class="sce">
<table class="evidence-sep" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Script:</td>
<td>sce/nix_auditd_rule_chk.sh</td>
</tr>
<tr>
<td class="bold">Result:</td>
<td class="fail">Fail</td>
</tr>
<tr>
<td class="bold">Exit Value:</td>
<td>102</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Output:</td>
<td>
<ul class="unstyled">
<li>FAILED</li>
<li>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</li>
<li/>
<li>]+,)?open((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
<li>No auditd rules were found in the running config matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</li>
<li/>
<li>]+,)?open((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
</ul>
</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Errors:</td>
<td>
<ul>
<li>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</evidence>
</xccdf:check>
</xccdf:complex-check>
<!--
  SCE check: runs sce/nix_auditd_rule_chk.sh with XCCDF_VALUE_REGEX bound to
  value 3995107 and looks for an "always,exit" rule with arch=b64, syscall
  truncate, exit=-EACCES, auid>=1000, an auid filter excluding the unset value
  (unset, -1 or 4294967295) and a key. The pattern accepts truncate inside a
  longer -S list, so one rule line naming several syscalls can satisfy several
  sibling checks.
  Recorded result: fail, exit value 102; the script reports no match in
  /etc/audit/rules.d/*.rules and none in the running config.
  NOTE(review): stderr shows "auditctl: command not found", so the running
  config half presumably had no rule listing to search. Confirm the audit
  userspace tools are installed and on the assessor's PATH before reading this
  as evidence about the loaded rules.
  NOTE(review): the pattern is printed across several lines (split after "[^#"
  with an empty line in between); it looks like line-break characters inside
  the character class were emitted literally. Verify against the benchmark value.
-->
<xccdf:check system="http://open-scap.org/page/SCE"
negate="false"
multi-check="false">
<xccdf:check-export export-name="XCCDF_VALUE_REGEX"
value-id="xccdf_org.cisecurity.benchmarks_value_3995107_var"/>
<xccdf:check-content-ref href="sce/nix_auditd_rule_chk.sh"/>
<xccdf:check-content>
<command_result href="sce/nix_auditd_rule_chk.sh"
xccdf="fail"
script="/root/cis/Assessor/sce/nix_auditd_rule_chk.sh"
exit-value="102">
<out>
<l>FAILED</l>
<l>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</l>
<l/>
<l>]+,)?truncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
<l>No auditd rules were found in the running config matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</l>
<l/>
<l>]+,)?truncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
</out>
<err>
<l>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</l>
</err>
<env/>
</command_result>
</xccdf:check-content>
<evidence xmlns="http://cisecurity.org/evidence">
<div class="sce">
<table class="evidence-sep" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Script:</td>
<td>sce/nix_auditd_rule_chk.sh</td>
</tr>
<tr>
<td class="bold">Result:</td>
<td class="fail">Fail</td>
</tr>
<tr>
<td class="bold">Exit Value:</td>
<td>102</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Output:</td>
<td>
<ul class="unstyled">
<li>FAILED</li>
<li>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</li>
<li/>
<li>]+,)?truncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
<li>No auditd rules were found in the running config matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</li>
<li/>
<li>]+,)?truncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
</ul>
</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Errors:</td>
<td>
<ul>
<li>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</evidence>
</xccdf:check>
</xccdf:complex-check>
<!--
  SCE check: runs sce/nix_auditd_rule_chk.sh with XCCDF_VALUE_REGEX bound to
  value 3995110 and looks for an "always,exit" rule with arch=b64, syscall
  ftruncate, exit=-EACCES, auid>=1000, an auid filter excluding the unset value
  (unset, -1 or 4294967295) and a key. The pattern accepts ftruncate inside a
  longer -S list, so one rule line naming several syscalls can satisfy several
  sibling checks.
  Recorded result: fail, exit value 102; the script reports no match in
  /etc/audit/rules.d/*.rules and none in the running config.
  NOTE(review): stderr shows "auditctl: command not found", so the running
  config half presumably had no rule listing to search. Confirm the audit
  userspace tools are installed and on the assessor's PATH before reading this
  as evidence about the loaded rules.
  NOTE(review): the pattern is printed across several lines (split after "[^#"
  with an empty line in between); it looks like line-break characters inside
  the character class were emitted literally. Verify against the benchmark value.
-->
<xccdf:check system="http://open-scap.org/page/SCE"
negate="false"
multi-check="false">
<xccdf:check-export export-name="XCCDF_VALUE_REGEX"
value-id="xccdf_org.cisecurity.benchmarks_value_3995110_var"/>
<xccdf:check-content-ref href="sce/nix_auditd_rule_chk.sh"/>
<xccdf:check-content>
<command_result href="sce/nix_auditd_rule_chk.sh"
xccdf="fail"
script="/root/cis/Assessor/sce/nix_auditd_rule_chk.sh"
exit-value="102">
<out>
<l>FAILED</l>
<l>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</l>
<l/>
<l>]+,)?ftruncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
<l>No auditd rules were found in the running config matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</l>
<l/>
<l>]+,)?ftruncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
</out>
<err>
<l>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</l>
</err>
<env/>
</command_result>
</xccdf:check-content>
<evidence xmlns="http://cisecurity.org/evidence">
<div class="sce">
<table class="evidence-sep" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Script:</td>
<td>sce/nix_auditd_rule_chk.sh</td>
</tr>
<tr>
<td class="bold">Result:</td>
<td class="fail">Fail</td>
</tr>
<tr>
<td class="bold">Exit Value:</td>
<td>102</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Output:</td>
<td>
<ul class="unstyled">
<li>FAILED</li>
<li>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</li>
<li/>
<li>]+,)?ftruncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
<li>No auditd rules were found in the running config matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</li>
<li/>
<li>]+,)?ftruncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
</ul>
</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Errors:</td>
<td>
<ul>
<li>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</evidence>
</xccdf:check>
</xccdf:complex-check>
<!--
  SCE check: runs sce/nix_auditd_rule_chk.sh with XCCDF_VALUE_REGEX bound to
  value 3995112 and looks for an "always,exit" rule with arch=b64, syscall
  creat, exit=-EACCES, auid>=1000, an auid filter excluding the unset value
  (unset, -1 or 4294967295) and a key. The pattern accepts creat inside a
  longer -S list, so one rule line naming several syscalls can satisfy several
  sibling checks.
  Recorded result: fail, exit value 102; the script reports no match in
  /etc/audit/rules.d/*.rules and none in the running config.
  NOTE(review): stderr shows "auditctl: command not found", so the running
  config half presumably had no rule listing to search. Confirm the audit
  userspace tools are installed and on the assessor's PATH before reading this
  as evidence about the loaded rules.
  NOTE(review): the pattern is printed across several lines (split after "[^#"
  with an empty line in between); it looks like line-break characters inside
  the character class were emitted literally. Verify against the benchmark value.
-->
<xccdf:check system="http://open-scap.org/page/SCE"
negate="false"
multi-check="false">
<xccdf:check-export export-name="XCCDF_VALUE_REGEX"
value-id="xccdf_org.cisecurity.benchmarks_value_3995112_var"/>
<xccdf:check-content-ref href="sce/nix_auditd_rule_chk.sh"/>
<xccdf:check-content>
<command_result href="sce/nix_auditd_rule_chk.sh"
xccdf="fail"
script="/root/cis/Assessor/sce/nix_auditd_rule_chk.sh"
exit-value="102">
<out>
<l>FAILED</l>
<l>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</l>
<l/>
<l>]+,)?creat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
<l>No auditd rules were found in the running config matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</l>
<l/>
<l>]+,)?creat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
</out>
<err>
<l>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</l>
</err>
<env/>
</command_result>
</xccdf:check-content>
<evidence xmlns="http://cisecurity.org/evidence">
<div class="sce">
<table class="evidence-sep" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Script:</td>
<td>sce/nix_auditd_rule_chk.sh</td>
</tr>
<tr>
<td class="bold">Result:</td>
<td class="fail">Fail</td>
</tr>
<tr>
<td class="bold">Exit Value:</td>
<td>102</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Output:</td>
<td>
<ul class="unstyled">
<li>FAILED</li>
<li>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</li>
<li/>
<li>]+,)?creat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
<li>No auditd rules were found in the running config matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</li>
<li/>
<li>]+,)?creat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
</ul>
</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Errors:</td>
<td>
<ul>
<li>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</evidence>
</xccdf:check>
</xccdf:complex-check>
<!--
  SCE check: runs sce/nix_auditd_rule_chk.sh with XCCDF_VALUE_REGEX bound to
  value 3995117 and looks for an "always,exit" rule with arch=b64, syscall
  openat, exit=-EACCES, auid>=1000, an auid filter excluding the unset value
  (unset, -1 or 4294967295) and a key. The pattern accepts openat inside a
  longer -S list, so one rule line naming several syscalls can satisfy several
  sibling checks.
  Recorded result: fail, exit value 102; the script reports no match in
  /etc/audit/rules.d/*.rules and none in the running config.
  NOTE(review): stderr shows "auditctl: command not found", so the running
  config half presumably had no rule listing to search. Confirm the audit
  userspace tools are installed and on the assessor's PATH before reading this
  as evidence about the loaded rules.
  NOTE(review): the pattern is printed across several lines (split after "[^#"
  with an empty line in between); it looks like line-break characters inside
  the character class were emitted literally. Verify against the benchmark value.
-->
<xccdf:check system="http://open-scap.org/page/SCE"
negate="false"
multi-check="false">
<xccdf:check-export export-name="XCCDF_VALUE_REGEX"
value-id="xccdf_org.cisecurity.benchmarks_value_3995117_var"/>
<xccdf:check-content-ref href="sce/nix_auditd_rule_chk.sh"/>
<xccdf:check-content>
<command_result href="sce/nix_auditd_rule_chk.sh"
xccdf="fail"
script="/root/cis/Assessor/sce/nix_auditd_rule_chk.sh"
exit-value="102">
<out>
<l>FAILED</l>
<l>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</l>
<l/>
<l>]+,)?openat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
<l>No auditd rules were found in the running config matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</l>
<l/>
<l>]+,)?openat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
</out>
<err>
<l>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</l>
</err>
<env/>
</command_result>
</xccdf:check-content>
<evidence xmlns="http://cisecurity.org/evidence">
<div class="sce">
<table class="evidence-sep" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Script:</td>
<td>sce/nix_auditd_rule_chk.sh</td>
</tr>
<tr>
<td class="bold">Result:</td>
<td class="fail">Fail</td>
</tr>
<tr>
<td class="bold">Exit Value:</td>
<td>102</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Output:</td>
<td>
<ul class="unstyled">
<li>FAILED</li>
<li>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</li>
<li/>
<li>]+,)?openat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
<li>No auditd rules were found in the running config matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</li>
<li/>
<li>]+,)?openat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EACCES|-EACCES=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
</ul>
</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Errors:</td>
<td>
<ul>
<li>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</evidence>
</xccdf:check>
</xccdf:complex-check>
<!--
  SCE check: runs sce/nix_auditd_rule_chk.sh with XCCDF_VALUE_REGEX bound to
  value 3995122 and looks for an "always,exit" rule with arch=b64, syscall open,
  exit=-EPERM, auid>=1000, an auid filter excluding the unset value (unset, -1
  or 4294967295) and a key. The pattern accepts open inside a longer -S list, so
  one rule line naming several syscalls can satisfy several sibling checks.
  Recorded result: fail, exit value 102; the script reports no match in
  /etc/audit/rules.d/*.rules and none in the running config.
  NOTE(review): stderr shows "auditctl: command not found", so the running
  config half presumably had no rule listing to search. Confirm the audit
  userspace tools are installed and on the assessor's PATH before reading this
  as evidence about the loaded rules.
  NOTE(review): the pattern is printed across several lines (split after "[^#"
  with an empty line in between); it looks like line-break characters inside
  the character class were emitted literally. Verify against the benchmark value.
-->
<xccdf:check system="http://open-scap.org/page/SCE"
negate="false"
multi-check="false">
<xccdf:check-export export-name="XCCDF_VALUE_REGEX"
value-id="xccdf_org.cisecurity.benchmarks_value_3995122_var"/>
<xccdf:check-content-ref href="sce/nix_auditd_rule_chk.sh"/>
<xccdf:check-content>
<command_result href="sce/nix_auditd_rule_chk.sh"
xccdf="fail"
script="/root/cis/Assessor/sce/nix_auditd_rule_chk.sh"
exit-value="102">
<out>
<l>FAILED</l>
<l>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</l>
<l/>
<l>]+,)?open((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
<l>No auditd rules were found in the running config matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</l>
<l/>
<l>]+,)?open((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
</out>
<err>
<l>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</l>
</err>
<env/>
</command_result>
</xccdf:check-content>
<evidence xmlns="http://cisecurity.org/evidence">
<div class="sce">
<table class="evidence-sep" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Script:</td>
<td>sce/nix_auditd_rule_chk.sh</td>
</tr>
<tr>
<td class="bold">Result:</td>
<td class="fail">Fail</td>
</tr>
<tr>
<td class="bold">Exit Value:</td>
<td>102</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Output:</td>
<td>
<ul class="unstyled">
<li>FAILED</li>
<li>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</li>
<li/>
<li>]+,)?open((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
<li>No auditd rules were found in the running config matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</li>
<li/>
<li>]+,)?open((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
</ul>
</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Errors:</td>
<td>
<ul>
<li>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</evidence>
</xccdf:check>
</xccdf:complex-check>
<!--
  SCE check: runs sce/nix_auditd_rule_chk.sh with XCCDF_VALUE_REGEX bound to
  value 3995125 and looks for an "always,exit" rule with arch=b64, syscall
  truncate, exit=-EPERM, auid>=1000, an auid filter excluding the unset value
  (unset, -1 or 4294967295) and a key. The pattern accepts truncate inside a
  longer -S list, so one rule line naming several syscalls can satisfy several
  sibling checks.
  Recorded result: fail, exit value 102; the script reports no match in
  /etc/audit/rules.d/*.rules and none in the running config.
  NOTE(review): stderr shows "auditctl: command not found", so the running
  config half presumably had no rule listing to search. Confirm the audit
  userspace tools are installed and on the assessor's PATH before reading this
  as evidence about the loaded rules.
  NOTE(review): the pattern is printed across several lines (split after "[^#"
  with an empty line in between); it looks like line-break characters inside
  the character class were emitted literally. Verify against the benchmark value.
-->
<xccdf:check system="http://open-scap.org/page/SCE"
negate="false"
multi-check="false">
<xccdf:check-export export-name="XCCDF_VALUE_REGEX"
value-id="xccdf_org.cisecurity.benchmarks_value_3995125_var"/>
<xccdf:check-content-ref href="sce/nix_auditd_rule_chk.sh"/>
<xccdf:check-content>
<command_result href="sce/nix_auditd_rule_chk.sh"
xccdf="fail"
script="/root/cis/Assessor/sce/nix_auditd_rule_chk.sh"
exit-value="102">
<out>
<l>FAILED</l>
<l>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</l>
<l/>
<l>]+,)?truncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
<l>No auditd rules were found in the running config matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</l>
<l/>
<l>]+,)?truncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
</out>
<err>
<l>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</l>
</err>
<env/>
</command_result>
</xccdf:check-content>
<evidence xmlns="http://cisecurity.org/evidence">
<div class="sce">
<table class="evidence-sep" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Script:</td>
<td>sce/nix_auditd_rule_chk.sh</td>
</tr>
<tr>
<td class="bold">Result:</td>
<td class="fail">Fail</td>
</tr>
<tr>
<td class="bold">Exit Value:</td>
<td>102</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Output:</td>
<td>
<ul class="unstyled">
<li>FAILED</li>
<li>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</li>
<li/>
<li>]+,)?truncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
<li>No auditd rules were found in the running config matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</li>
<li/>
<li>]+,)?truncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
</ul>
</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Errors:</td>
<td>
<ul>
<li>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</evidence>
</xccdf:check>
</xccdf:complex-check>
<!--
  SCE check: runs sce/nix_auditd_rule_chk.sh with XCCDF_VALUE_REGEX bound to
  value 3995130 and looks for an "always,exit" rule with arch=b64, syscall
  ftruncate, exit=-EPERM, auid>=1000, an auid filter excluding the unset value
  (unset, -1 or 4294967295) and a key. The pattern accepts ftruncate inside a
  longer -S list, so one rule line naming several syscalls can satisfy several
  sibling checks.
  Recorded result: fail, exit value 102; the script reports no match in
  /etc/audit/rules.d/*.rules and none in the running config.
  NOTE(review): stderr shows "auditctl: command not found", so the running
  config half presumably had no rule listing to search. Confirm the audit
  userspace tools are installed and on the assessor's PATH before reading this
  as evidence about the loaded rules.
  NOTE(review): the pattern is printed across several lines (split after "[^#"
  with an empty line in between); it looks like line-break characters inside
  the character class were emitted literally. Verify against the benchmark value.
-->
<xccdf:check system="http://open-scap.org/page/SCE"
negate="false"
multi-check="false">
<xccdf:check-export export-name="XCCDF_VALUE_REGEX"
value-id="xccdf_org.cisecurity.benchmarks_value_3995130_var"/>
<xccdf:check-content-ref href="sce/nix_auditd_rule_chk.sh"/>
<xccdf:check-content>
<command_result href="sce/nix_auditd_rule_chk.sh"
xccdf="fail"
script="/root/cis/Assessor/sce/nix_auditd_rule_chk.sh"
exit-value="102">
<out>
<l>FAILED</l>
<l>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</l>
<l/>
<l>]+,)?ftruncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
<l>No auditd rules were found in the running config matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</l>
<l/>
<l>]+,)?ftruncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
</out>
<err>
<l>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</l>
</err>
<env/>
</command_result>
</xccdf:check-content>
<evidence xmlns="http://cisecurity.org/evidence">
<div class="sce">
<table class="evidence-sep" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Script:</td>
<td>sce/nix_auditd_rule_chk.sh</td>
</tr>
<tr>
<td class="bold">Result:</td>
<td class="fail">Fail</td>
</tr>
<tr>
<td class="bold">Exit Value:</td>
<td>102</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Output:</td>
<td>
<ul class="unstyled">
<li>FAILED</li>
<li>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</li>
<li/>
<li>]+,)?ftruncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
<li>No auditd rules were found in the running config matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</li>
<li/>
<li>]+,)?ftruncate((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
</ul>
</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Errors:</td>
<td>
<ul>
<li>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</evidence>
</xccdf:check>
</xccdf:complex-check>
<!--
  SCE check: runs sce/nix_auditd_rule_chk.sh with XCCDF_VALUE_REGEX bound to
  value 3995134 and looks for an "always,exit" rule with arch=b64, syscall
  creat, exit=-EPERM, auid>=1000, an auid filter excluding the unset value
  (unset, -1 or 4294967295) and a key. The pattern accepts creat inside a
  longer -S list, so one rule line naming several syscalls can satisfy several
  sibling checks.
  Recorded result: fail, exit value 102; the script reports no match in
  /etc/audit/rules.d/*.rules and none in the running config.
  NOTE(review): stderr shows "auditctl: command not found", so the running
  config half presumably had no rule listing to search. Confirm the audit
  userspace tools are installed and on the assessor's PATH before reading this
  as evidence about the loaded rules.
  NOTE(review): the pattern is printed across several lines (split after "[^#"
  with an empty line in between); it looks like line-break characters inside
  the character class were emitted literally. Verify against the benchmark value.
-->
<xccdf:check system="http://open-scap.org/page/SCE"
negate="false"
multi-check="false">
<xccdf:check-export export-name="XCCDF_VALUE_REGEX"
value-id="xccdf_org.cisecurity.benchmarks_value_3995134_var"/>
<xccdf:check-content-ref href="sce/nix_auditd_rule_chk.sh"/>
<xccdf:check-content>
<command_result href="sce/nix_auditd_rule_chk.sh"
xccdf="fail"
script="/root/cis/Assessor/sce/nix_auditd_rule_chk.sh"
exit-value="102">
<out>
<l>FAILED</l>
<l>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</l>
<l/>
<l>]+,)?creat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
<l>No auditd rules were found in the running config matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</l>
<l/>
<l>]+,)?creat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
</out>
<err>
<l>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</l>
</err>
<env/>
</command_result>
</xccdf:check-content>
<evidence xmlns="http://cisecurity.org/evidence">
<div class="sce">
<table class="evidence-sep" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Script:</td>
<td>sce/nix_auditd_rule_chk.sh</td>
</tr>
<tr>
<td class="bold">Result:</td>
<td class="fail">Fail</td>
</tr>
<tr>
<td class="bold">Exit Value:</td>
<td>102</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Output:</td>
<td>
<ul class="unstyled">
<li>FAILED</li>
<li>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</li>
<li/>
<li>]+,)?creat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
<li>No auditd rules were found in the running config matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</li>
<li/>
<li>]+,)?creat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
</ul>
</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Errors:</td>
<td>
<ul>
<li>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</evidence>
</xccdf:check>
</xccdf:complex-check>
<!--
  SCE check: runs sce/nix_auditd_rule_chk.sh with XCCDF_VALUE_REGEX bound to
  value 3995138 and looks for an "always,exit" rule with arch=b64, syscall
  openat, exit=-EPERM, auid>=1000, an auid filter excluding the unset value
  (unset, -1 or 4294967295) and a key. The pattern accepts openat inside a
  longer -S list, so one rule line naming several syscalls can satisfy several
  sibling checks.
  Recorded result: fail, exit value 102; the script reports no match in
  /etc/audit/rules.d/*.rules and none in the running config.
  NOTE(review): stderr shows "auditctl: command not found", so the running
  config half presumably had no rule listing to search. Confirm the audit
  userspace tools are installed and on the assessor's PATH before reading this
  as evidence about the loaded rules.
  NOTE(review): the pattern is printed across several lines (split after "[^#"
  with an empty line in between); it looks like line-break characters inside
  the character class were emitted literally. Verify against the benchmark value.
-->
<xccdf:check system="http://open-scap.org/page/SCE"
negate="false"
multi-check="false">
<xccdf:check-export export-name="XCCDF_VALUE_REGEX"
value-id="xccdf_org.cisecurity.benchmarks_value_3995138_var"/>
<xccdf:check-content-ref href="sce/nix_auditd_rule_chk.sh"/>
<xccdf:check-content>
<command_result href="sce/nix_auditd_rule_chk.sh"
xccdf="fail"
script="/root/cis/Assessor/sce/nix_auditd_rule_chk.sh"
exit-value="102">
<out>
<l>FAILED</l>
<l>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</l>
<l/>
<l>]+,)?openat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
<l>No auditd rules were found in the running config matching the regular expression:</l>
<l>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</l>
<l/>
<l>]+,)?openat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</l>
<l/>
</out>
<err>
<l>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</l>
</err>
<env/>
</command_result>
</xccdf:check-content>
<evidence xmlns="http://cisecurity.org/evidence">
<div class="sce">
<table class="evidence-sep" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Script:</td>
<td>sce/nix_auditd_rule_chk.sh</td>
</tr>
<tr>
<td class="bold">Result:</td>
<td class="fail">Fail</td>
</tr>
<tr>
<td class="bold">Exit Value:</td>
<td>102</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Output:</td>
<td>
<ul class="unstyled">
<li>FAILED</li>
<li>No auditd rules were found in any /etc/audit/rules.d/*.rules file matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</li>
<li/>
<li>]+,)?openat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
<li>No auditd rules were found in the running config matching the regular expression:</li>
<li>"^\h*-a\h+(always,exit|exit,always)\h+-F\h+arch=b64\h+-S\h+([^#</li>
<li/>
<li>]+,)?openat((,\H+)+|(\h+-S\h+\H+)+)?\h+-F\h+(exit=-EPERM|-EPERM=exit)\h+-F\h+auid>=1000\h+-F\h+(auid!=(unset|-1|4294967295)|(unset|-1|4294967295)!=auid)\h+(-k\h+\H+|-F\h*key=\H+)\h*(#.*)?$"</li>
<li/>
</ul>
</td>
</tr>
</tbody>
</table>
<table class="evidence" width="100%">
<tbody class="tbe">
<tr>
<td class="bold">Errors:</td>
<td>
<ul>
<li>/root/cis/Assessor/sce/nix_auditd_rule_chk.sh: line 27: auditctl: command not found</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</evidence>
</xccdf:check>
</xccdf:complex-check>
</xccdf:rule-result>